This repository contains code examples for an app vulnerable to CVE-2024-21626 as well as an eBPF gadget to detect exploitation attempts.

This repoistory was created as part of this blog post.

The gadget program used to detect this vulnerability is for demonstration purposes only. It is not a full detection of CVE-2024-21626.

CVE-2024-21626 is a vulnerability in the runc container runtime, present in versions prior to v1.1.12. It relies on the fact that runc doesn't close a "leaked" file descriptor in a timely manner when creating or executing commands inside the container, causing the container to inherit that file descriptor and gain access to the host filesystem.

There are several ways to exploit this vulnerability. This repository how this vulnerability can be exploited at runtime.

You can read more about it here.

For this demo to work, you'll need to make sure your machine is running a runc verion <= 1.1.11.

leaky-app is a Go app that creates a symlink to the potentially leaked file descriptor. To build the docker image:

make leaky-app

In order to build the eBPF gadget, you'll need to [ig] tool. You can build the gadget using:

make gadget

Once both are built, run the gadget using:

IG_EXPERIMENTAL=true sudo -E ig run trace-symlink:latest

Open another shell and start the leaky-app container:

docker run --rm --name leaky-app leaky-app

You should see the gadget outputs the container that called the symlink syscall.

This repository contains a demonstration application designed to showcase the detection CVE-2024-21626. It is important to note that this demonstration is solely for educational purposes and should not be considered as a practical detection tool. The detection mechanisms implemented in this demo do not cover all scenarios or accurately represent the complexities of detecting this vulnerability.